增加web严格模式 web.strictMode=false（更严格的数据安全验证，如isAll=true这种参数形式将被禁用）

modules/core/src/main/java/com/jeesite/modules/sys/web/AreaController.java

@@ -63,7 +63,7 @@ public class AreaController extends BaseController {
 	 * 查询区域数据
 	 * @param area
 	 */
-	@RequiresPermissions("user")
+	@RequiresPermissions("sys:area:view")
 	@RequestMapping(value = "listData")
 	@ResponseBody
 	public List<Area> listData(Area area) {

modules/core/src/main/java/com/jeesite/modules/sys/web/CompanyController.java

@@ -70,7 +70,7 @@ public class CompanyController extends BaseController {
 	 * 查询公司数据
 	 * @param company
 	 */
-	@RequiresPermissions("user")
+	@RequiresPermissions("sys:company:view")
 	@RequestMapping(value = "listData")
 	@ResponseBody
 	public List<Company> listData(Company company, String ctrlPermi) {
@@ -209,7 +209,7 @@ public class CompanyController extends BaseController {
 		List<Map<String, Object>> mapList = ListUtils.newArrayList();
 		Company where = new Company();
 		where.setStatus(Company.STATUS_NORMAL);
-		if (!(isAll != null && isAll)){
+		if (!(isAll != null && isAll) || Global.isStrictMode()){
 			companyService.addDataScopeFilter(where, ctrlPermi);
 		}
 		List<Company> list = companyService.findList(where);

modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java

@@ -24,6 +24,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import com.fasterxml.jackson.annotation.JsonView;
 import com.jeesite.common.codec.DesUtils;
 import com.jeesite.common.config.Global;
 import com.jeesite.common.lang.StringUtils;
@@ -344,6 +345,7 @@ public class LoginController extends BaseController{
 	@RequiresPermissions("user")
 	@RequestMapping(value = "menuTree")
 	@ResponseBody
+	@JsonView(Menu.SimpleView.class)
 	public List<Menu> menuTree(String parentCode) {
 		if (StringUtils.isNotBlank(parentCode)){
 			return UserUtils.getMenuListByParentCode(parentCode);

modules/core/src/main/java/com/jeesite/modules/sys/web/OfficeController.java

@@ -67,7 +67,7 @@ public class OfficeController extends BaseController {
 	 * 查询机构数据
 	 * @param office
 	 */
-	@RequiresPermissions("user")
+	@RequiresPermissions("sys:company:view")
 	@RequestMapping(value = "listData")
 	@ResponseBody
 	public List<Office> listData(Office office, String ctrlPermi) {
@@ -222,7 +222,7 @@ public class OfficeController extends BaseController {
 		Office where = new Office();
 		where.setStatus(Office.STATUS_NORMAL);
 		where.setCompanyCode(companyCode);
-		if (!(isAll != null && isAll)){
+		if (!(isAll != null && isAll) || Global.isStrictMode()){
 			officeService.addDataScopeFilter(where, ctrlPermi);
 		}
 		List<Office> list = officeService.findList(where);

modules/core/src/main/java/com/jeesite/modules/sys/web/PostController.java

@@ -131,7 +131,6 @@ public class PostController extends BaseController {
 
 	/**
 	 * 获取岗位树结构数据
-	 * @param isAll			是否显示所有机构（true：不进行权限过滤）
 	 * @param isShowCode	是否显示编码（true or 1：显示在左侧；2：显示在右侧；false or null：不显示）
 	 * @return
 	 */

modules/core/src/main/java/com/jeesite/modules/sys/web/user/EmpUserController.java

@@ -95,7 +95,7 @@ public class EmpUserController extends BaseController {
 	public Page<EmpUser> listData(EmpUser empUser, Boolean isAll, String ctrlPermi, HttpServletRequest request, HttpServletResponse response) {
 		empUser.getEmployee().getOffice().setIsQueryChildren(true);
 		empUser.getEmployee().getCompany().setIsQueryChildren(true);
-		if (!(isAll != null && isAll)){
+		if (!(isAll != null && isAll) || Global.isStrictMode()){
 			empUserService.addDataScopeFilter(empUser, ctrlPermi);
 		}
 		empUser.setPage(new Page<>(request, response));
@@ -175,7 +175,7 @@ public class EmpUserController extends BaseController {
 	public void exportData(EmpUser empUser, Boolean isAll, String ctrlPermi, HttpServletResponse response) {
 		empUser.getEmployee().getOffice().setIsQueryChildren(true);
 		empUser.getEmployee().getCompany().setIsQueryChildren(true);
-		if (!(isAll != null && isAll)){
+		if (!(isAll != null && isAll) || Global.isStrictMode()){
 			empUserService.addDataScopeFilter(empUser, ctrlPermi);
 		}
 		List<EmpUser> list = empUserService.findList(empUser);
@@ -367,7 +367,7 @@ public class EmpUserController extends BaseController {
 		empUser.setRoleCode(roleCode);
 		empUser.setStatus(User.STATUS_NORMAL);
 		empUser.setUserType(User.USER_TYPE_EMPLOYEE);
-		if (!(isAll != null && isAll)) {
+		if (!(isAll != null && isAll) || Global.isStrictMode()) {
 			empUserService.addDataScopeFilter(empUser, ctrlPermi);
 		}
 		List<EmpUser> list = empUserService.findList(empUser);

modules/core/src/main/java/com/jeesite/modules/sys/web/user/SecAdminController.java

@@ -50,7 +50,7 @@ public class SecAdminController extends BaseController {
 		return "modules/sys/user/secAdminList";
 	}
 
-	@RequiresPermissions("user")
+	@RequiresPermissions("sys:secAdmin:view")
 	@RequestMapping(value = "listData")
 	@ResponseBody
 	public Page<User> listData(User user, HttpServletRequest request, HttpServletResponse response) {

modules/core/src/main/resources/config/jeesite-core.yml

@@ -414,7 +414,7 @@ mybatis:
   
 # Web 相关
 web:
-  
+
   # MVC 视图相关
   view:
     
@@ -463,7 +463,7 @@ web:
   validator:
     id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
     user.loginCode: '[a-zA-Z0-9_\u4e00-\u9fa5]{4,20}'
-
+  
   # 核心模块的Web功能（仅作为微服务时设为false）
   core: 
     enabled: true

modules/core/src/main/resources/views/themes/default/modules/sys/sysIndex/topMenu.html

@@ -48,6 +48,8 @@
 								if($('.sidebar-menu').length == 1){
 									$(window).trigger("hashchange");
 								}
+							}else{
+								location = '${ctx}/login';
 							}
 						}, 'html');
 					}

web/src/main/resources/config/application.yml

@@ -476,6 +476,9 @@ logging:
 #  # 静态资源路径前缀，可做CDN加速优化
 #  staticPrefix: /static
 #  
+#  # 严格模式（更严格的数据安全验证）
+#  strictMode: false
+#  
 #  # 自定义正则表达式验证（主键、登录名）
 #  validator:
 #    id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'